CN106657130B

CN106657130B - MQTT-based access authentication method and equipment

Info

Publication number: CN106657130B
Application number: CN201710013091.6A
Authority: CN
Inventors: 东升
Original assignee: Shanghai Pudong Software Park Huizhi Software Development Co ltd
Current assignee: Shanghai Pudong Software Park Huizhi Software Development Co ltd
Priority date: 2017-01-09
Filing date: 2017-01-09
Publication date: 2020-05-19
Anticipated expiration: 2037-01-09
Also published as: CN106657130A

Abstract

The method comprises the steps of sending an access authentication request of a client side of the MQTT to server side equipment; sending a subscription subject authentication request to the server equipment based on an access authentication result fed back by the server equipment; sending a published message authentication request to the server equipment based on the result of the subscription theme authentication request fed back by the server equipment; and determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment. The method and the system realize the access authentication, the subscription authentication and the message authentication of the MQTT client and the management functions of the MQTT equipment, the MQTT equipment owner, the application program and the application program developer in the platform of the Internet of things, reduce the problems caused by configuration errors of the system, and provide a corresponding webpage interface to enable a user to use the system determined by the MQTT client and the server more intuitively.

Description

MQTT-based access authentication method and equipment

Technical Field

The application relates to the field of computers, in particular to an MQTT-based access authentication method and device.

Background

The technology of connecting daily things to the Internet is rapidly developed, and the intelligent park is more and more constructed to meet the requirements of user equipment. In the construction of an intelligent park, an MQTT (message queue telemetry transmission protocol) protocol becomes a generally accepted protocol due to excellent design, aiming at the essential functions of authentication extension and safe transmission success of the MQTT, an authentication mode provided by the currently adopted emqtt scheme depends on a configuration file, and the complexity of the system is greatly increased.

Content of application

An object of the present application is to provide an MQTT-based access authentication method and device, which solve the problem in the prior art that an authentication manner depends on a configuration file, and configuration errors cause.

According to one aspect of the application, there is provided a method of MQTT-based access authentication at a client, the method comprising:

sending the access authentication request of the client of the MQTT to server equipment;

sending a subscription subject authentication request to the server equipment based on an access authentication result fed back by the server equipment;

sending a published message authentication request to the server equipment based on the result of the subscription theme authentication request fed back by the server equipment;

and determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment.

Further, when the client includes MQTT devices and the MQTT devices own users, sending an access authentication request of the MQTT client to the server device, including:

sending an application request of the MQTT equipment for owning the user and the access key and the encryption key of the MQTT equipment to the server-side equipment;

receiving unique identification information distributed by the server-side equipment to the MQTT equipment;

and sending the access authentication request of the MQTT equipment to server-side equipment based on the access key, the encryption key and the unique identification information.

Further, sending a subscription subject authentication request to the server device based on the access authentication result fed back by the server device, including:

based on the successful access authentication result fed back by the server device, the MQTT device sends the subscription theme authentication request to the server through a theme subscription filter, wherein the theme subscription filter is determined according to the access key, the unique identification information and the control message transmission channel of the user owned by the MQTT device,

or the information is determined according to the access key of the user owned by the MQTT equipment, the unique identification information of the MQTT equipment and the query message transmission channel.

Further, sending a publish message authentication request to the server device based on the result of the subscription topic authentication request fed back by the server device, includes:

and sending the published message authentication request to the server equipment according to the topic name determined in the message based on the successfully subscribed subscription topic authentication request result fed back by the server equipment.

Further, the subject names in the message include: the subject name in the message of the posting message, the subject name in the message of the reply control message, and the subject name in the message of the reply inquiry message,

the method further comprises the following steps:

determining a subject name in a message of the release message according to an access key of the MQTT device owned by a user, the unique identification information of the MQTT device and a data message transmission channel;

determining a subject name in a message of the reply control message according to an access key of the user owned by the MQTT device, the unique identification information of the MQTT device and a control reply message transmission channel;

and determining the subject name in the message replying the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query reply message transmission channel.

Further, the method further comprises:

the method comprises the steps that a personal advice message in a message is a preset MQTT device message character string, and the subject format of the personal advice message is determined according to an access key of a user owned by the MQTT device, the unique identification information of the MQTT device and an offline message transmission channel.

Further, the client includes an MQTT device authorized by an application program development user, and when the MQTT device owns a user, the client sends an access authentication request of the MQTT client to a server device, including:

sending application requests of the application program, the application program development user and an MQTT device owned user authorized by the application program development user and an access key and an encryption key of the MQTT device to the server-side device;

receiving unique identification information respectively distributed by the server-side equipment for the application program and the MQTT equipment;

and sending the access authentication request of the application program to server-side equipment based on the access key, the encryption key, the unique identification information of the MQTT equipment and the unique identification information of the application program.

based on the successful access authentication result fed back by the server device, the application program sends the subscription theme authentication request to the server through a filter of the subscription theme,

wherein the filter for the subscription topic is determined according to at least any one of:

determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a control message transmission channel;

determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a query message transmission channel;

determining the filter according to an access key of a user owning the MQTT equipment authorized by the application program development user, unique identification information of the MQTT equipment and a data message transmission channel;

and determining the filter according to the access key of the user owning the MQTT equipment authorized by the application program development user and the unique identification information of the MQTT equipment.

based on the successful subscribed topic authentication request result fed back by the server-side equipment, the MQTT equipment authorized by the application program sends a published message authentication request to the server-side equipment according to the topic name determined in the message.

Further, the subject names in the message include: a subject name in a message for issuing a control message and a subject name in a message for issuing a query message,

the method further comprises the following steps:

determining the subject name in the message of the release control message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and a control message transmission channel;

and determining the subject name in the message for issuing the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query message transmission channel.

Further, the method further comprises:

the system comprises a message processing module, a message processing module and a message display module, wherein the general instruction message in the message is a preset application message character string, and the subject format of the general instruction message is determined according to an access key of an application development user, the unique identification information of the application and an offline message transmission channel.

According to another aspect of the present application, there is provided a method of MQTT-based access authentication at a service device, the method comprising:

authenticating the client based on an access authentication request sent by the MQTT client, and feeding back an access authentication result to the client;

judging whether the client successfully subscribes the theme or not based on the subscription theme authentication request sent by the client, and feeding back the result of the subscription theme authentication request to the client;

and after receiving the message authentication request issued by the client, determining an issued message authentication result according to the service quality in the message, and determining the connection with the client according to the issued message authentication result.

According to another aspect of the present application, there is also provided an MQTT-based access authentication client, including:

the access authentication request device is used for sending the access authentication request of the client to the server equipment;

a subscription theme authentication request device, configured to send a subscription theme authentication request to the server device based on an access authentication result fed back by the server device;

the published message authentication request device is used for sending a published message authentication request to the server equipment based on the subscription theme authentication request result fed back by the server equipment;

and the connection determining device is used for determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment.

According to another aspect of the present application, there is also provided a service device for access authentication based on MQTT, wherein the service device includes:

the access authentication device is used for authenticating the client based on an access authentication request sent by the client and feeding back an access authentication result to the client;

the theme authentication device is used for judging whether the client successfully subscribes the theme or not based on the subscription theme authentication request sent by the client and feeding back the result of the subscription theme authentication request to the client;

and the message authentication device is used for determining an authentication result of the issued message according to the service quality in the message after receiving the message authentication request issued by the client, and determining the connection with the client according to the authentication result of the issued message.

Compared with the prior art, the access authentication request of the client side of the MQTT is sent to the server side equipment; sending a subscription subject authentication request to the server equipment based on an access authentication result fed back by the server equipment; sending a published message authentication request to the server equipment based on the result of the subscription theme authentication request fed back by the server equipment; and determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment. The method and the system realize the access authentication, the subscription authentication and the message authentication of the MQTT client and the management functions of the MQTT equipment, the MQTT equipment owner, the application program and the application program developer in the platform of the Internet of things, reduce the problems caused by configuration errors of the system, and provide a corresponding webpage interface to enable a user to use the system determined by the MQTT client and the server more intuitively.

Drawings

Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:

FIG. 1 illustrates a schematic flow chart of a method for MQTT-based access authentication at a client, according to an aspect of the present application;

FIG. 2 is a schematic interaction diagram illustrating access authentication between a client and a server in an embodiment of the present application;

fig. 3 shows a schematic structural diagram of an MQTT-based access authentication client according to another aspect of the present application.

The same or similar reference numbers in the drawings identify the same or similar elements.

Detailed Description

The present application is described in further detail below with reference to the attached figures.

In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (transient media), such as modulated data signals and carrier waves.

Fig. 1 shows a schematic flow chart of a method for MQTT-based access authentication at a client according to an aspect of the present application, the method comprising: step S11 to step S14,

in step S11, sending an access authentication request of the MQTT client to a server device; in the embodiment of the application, the MQTT client is subjected to access authentication, where the access authentication includes access authentication of an MQTT device and access authentication of an Application (APP). Aiming at the access authentication requests of MQTT equipment and APP, different access authentication processes are provided, and management of the MQTT equipment and the MQTT equipment owning user, the APP and the APP development user is realized.

In step S12, sending a subscription subject authentication request to the server device based on the access authentication result fed back by the server device; in the embodiment of the application, after the access authentication is passed, the client of the MQTT can subscribe related topics, the topic subscription is performed according to a preset topic format, and if formats of other topics are tried, errors are caused, and the subscription fails.

In step S13, sending a publish message authentication request to the server device based on the result of the subscription topic authentication request fed back by the server device; in the embodiment of the application, after the topic is subscribed successfully, the client of the MQTT starts to PUBLISH the message, the topic names in the PUBLISH message, the PUBLISH message in the reply control message, and the PUBLISH message in the reply query message need to be according to a preset rule, and if the topic names are not published by using other topic names, the server is disconnected.

In step S14, a connection is determined with the server device based on the result of the authentication of the issue message fed back by the server device. When the authentication result of the issued message is successful, the connection between the client and the server is maintained, the secure transmission between the client and the server can be continued, and when the authentication result of the issued message is failed, the connection between the client and the server is disconnected, so that the accuracy and the security of the message transmission are ensured.

Preferably, when the client includes an MQTT device and an MQTT device owning user, in step S11, an application request of the MQTT device owning user and an access key and an encryption key of the MQTT device is sent to the server device; receiving unique identification information distributed by the server-side equipment to the MQTT equipment; and sending the access authentication request of the MQTT equipment to server-side equipment based on the access key, the encryption key and the unique identification information. Firstly, applying for an MQTT device to have a user owner account, and applying for an access key (accessKey) and an encryption key (secretKey) in a management interface; then, adding new MQTT equipment in the management interface, and allocating unique identification information deviceId to each MQTT equipment to be accessed, wherein the MQTT equipment is acquisition equipment of the intelligent park and can be accessed to a system of the intelligent park; it should be noted that the access key (accessKey) is used to access interfaces of some applications provided by the system, and is used for a User Name field (username field) in a connection (CONNECT) Message in the MQTT protocol, deviceId is used for a ClinetId field (client identifier) in the CONNECT Message in the MQTT protocol, secretekey is used for signing a ClinetId field (client identifier), wil Topic (legacy subject), wil Message, and User Name fields in a Payload Message in the CONNECT Message in the MQTT protocol, and a signature is used for a Password field in the CONNECT Message in the MQTT protocol.

It should be noted that the Will Topic and the Will Message are predefined topics and corresponding messages by the client, and are attached to the variable header of the CONNECT Message, and when the client connection is abnormal, the server issues the Message actively.

Preferably, in step S12, based on the access authentication result that the access authentication is successful and fed back by the server device, the MQTT device sends the subscription topic authentication request to the server through a topic subscription filter, where the topic subscription filter is determined according to the access key, the unique identification information, and the control message transmission channel of the user owned by the MQTT device, or according to the access key, the unique identification information, and the query message transmission channel of the user owned by the MQTT device. In an embodiment of the present application, when subscribing to a topic, it is necessary to use { { MQTT device possesses user's access key } }/{ { MQTT device ID } }/CONTROL, or { { MQTT device possesses user's access key } }/{ { MQTT device ID } }/QUERY as a topic filter, and attempting to subscribe to any other topic results in a failure, and after the subscription fails, the server sets 0x80 in the corresponding byte to indicate that the related topic is unsubscribed successfully. Wherein, CONTROL is a CONTROL message transmission channel, and QUERY is an inquiry message transmission channel.

Preferably, in step S13, based on the result of the subscription topic authentication request that is fed back by the server device and subscribed successfully, the published message authentication request is sent to the server device according to the topic name determined in the message. In an embodiment of the present application, the subject names in the message include: preferably, the method further comprises: determining a subject name in a message of the release message according to an access key of the MQTT device owned by a user, the unique identification information of the MQTT device and a data message transmission channel; determining a subject name in a message of the reply control message according to an access key of the user owned by the MQTT device, the unique identification information of the MQTT device and a control reply message transmission channel; and determining the subject name in the message replying the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query reply message transmission channel.

Here, after subscribing to a topic, the MQTT device starts to PUBLISH a message, a subject name in a PUBLISH message is set to { { access key of the device owner } }/{ { device ID } }/DATA, a subject name in a PUBLISH message of a reply control message is set to { { access key of the device owner } }/{ { device ID } }/copy, a subject name in a PUBLISH message of a reply query message is set to { { access key of the device owner } }/{ { device ID } }/QREPLY, trying other subject names will result in a fatal error, and illegally publishing using other subject names will result in disconnection of a service end; the device owner is an MQTT device owner user, DATA is a DATA message transmission channel, CRPLY is a control reply message transmission channel, and QREPLY is a query reply message transmission channel.

Preferably, the method further comprises: and step S15, the testament information in the message adopts a preset MQTT device message character string, and the subject format of the testament information is determined according to the access key of the MQTT device owning user, the unique identification information of the MQTT device and an offline message transmission channel. In an embodiment of the application, the testament message needs to be normalized, a fixed WizIOT OFFLINE character string is adopted, and the testament message subject format is { { access key of device owner } }/{ { device ID } }/{ { device ID, where WizIOT OFFLINE is a designed result and is mainly different from the testament message of the application APP, and ofline is an OFFLINE message transmission channel.

Preferably, when the client includes an MQTT device authorized by an application development user and the MQTT device owns a user, in step S11, an application request of the application, the application development user, the MQTT device owning user authorized by the application development user and an access key and an encryption key of the MQTT device is sent to the server device; receiving unique identification information respectively distributed by the server-side equipment for the application program and the MQTT equipment; and sending the access authentication request of the application program to server-side equipment based on the access key, the encryption key, the unique identification information of the MQTT equipment and the unique identification information of the application program. In an embodiment of the application, a server is preferably an internet of things platform background, applies for an accessKey and a secedetkey in a management interface of the background, and then obtains an AppId for each APP terminal that needs to be accessed in the internet of things platform background management interface, where the accessKey is used for a User Name field (User Name field) in a CONNECT Message in an MQTT protocol, and the AppId is a unique identifier of an application APP and used for signing a ClientId (client identifier), a WillTopic (Will theme), a willmessage (Will order Message), and a User Name field in a Payload in the CONNECT Message in the MQTT protocol.

In an embodiment of the present application, in step S12, based on an access authentication result that the access authentication is successful and fed back by the server device, the application program sends the subscription theme authentication request to the server through a theme subscription filter, where the theme subscription filter is determined according to at least any one of the following: determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a control message transmission channel; determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a query message transmission channel; determining the filter according to an access key of a user owning the MQTT equipment authorized by the application program development user, unique identification information of the MQTT equipment and a data message transmission channel; and determining the filter according to the access key of the user owning the MQTT equipment authorized by the application program development user and the unique identification information of the MQTT equipment.

Here, the APP terminal only has the right to subscribe to an authorized MQTT device of an APP developer to which the APP terminal belongs, after access authentication passes, the APP terminal may subscribe to a related topic, and the subscription topic uses access key of { { MQTT device owner } }/{ { MQTT device devild } }/credit or { { MQTT device owner 'access key } }/{ { MQTT device owner' deviceId } }/qrly or { { MQTT device owner 'access key } }/{ { MQTT device owner' deviceId } }/{ { MQTT device owner 'deviceId } }/} or { { MQTT device owner' access key } }/{ { MQTT device owner 'deviceId } } + or { { MQTT device owner's access key } }/{ { MQTT device } }/{ { MQTT device } truncated # as a topic filter, and an attempt to subscribe to a service at a service failure side corresponding to a related topic corresponding service 80 is shown as a failure.

Preferably, in step S13, based on the result of the successfully subscribed subscription topic authentication request fed back by the server device, the MQTT device authorized by the application program sends the published message authentication request to the server device according to the topic name determined in the message. In an embodiment of the present application, the subject names in the message include: the method for determining the subject name in the message for issuing the control message and the subject name in the message for issuing the query message comprises the following steps: determining the subject name in the message of the release control message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and a control message transmission channel; and determining the subject name in the message for issuing the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query message transmission channel.

Here, the APP terminal should start to PUBLISH the message after subscribing the topic, the APP terminal only has the right of authorized MQTT devices of the APP developers to PUBLISH the message, the topic name in the PUBLISH message for publishing the CONTROL message is set to { { accesekey of the MQTT device owner } }/{ { devicemid of the MQTT device } }/CONTROL, the topic name in the PUBLISH message for publishing the QUERY message is set to { { accesekey of the MQTT device owner } }/{ { devicemid of the MQTT device } }/QUERY, attempting to use other topic names will result in fatal errors, and when the publication is performed illegally using other topic names, the service end will be disconnected.

Preferably, the method further comprises: and step S15', the testament information in the message adopts a preset application program information character string, and the subject format of the testament information is determined according to the access key of the application program development user, the unique identification information of the application program and an off-line information transmission channel. In an embodiment of the application, a fixed WizIOTAPP OFFLINE character string is adopted, and the format of the subject of the will order message is { { access key of APP developer } }/{ { APP id } }/OFFLINE.

According to another aspect of the present application, there is provided a method of MQTT-based access authentication at a service device, the method comprising: step S21-step S23, wherein in step S21, the client is authenticated based on the access authentication request sent by the client of the MQTT, and an access authentication result is fed back to the client; in step S22, determining whether the client successfully subscribes to the topic based on the topic authentication request sent by the client, and feeding back the result of the topic authentication request to the client; in step S23, after receiving the message authentication request issued by the client, the method determines an authentication result of the issued message according to the service quality in the message, and determines connection with the client according to the authentication result of the issued message. In an embodiment of the application, the system comprises a server side and MQTT clients, access authentication, subscription authentication and message authentication are performed on the MQTT clients through the server side, and management functions of MQTT equipment, MQTT equipment owners, APP and APP developers in a platform are performed, so that authentication extension and safe transmission of the MQTT are realized, errors caused by configuration errors of the system are reduced, and a corresponding webpage interface is provided, so that a user can use the system more intuitively.

Preferably, in step S22, a subscription topic authentication request sent by the client is received; and judging whether the client successfully subscribes the theme or not according to the identification information, the theme of the will advice, the message of the will advice, the user name field and the password field of the client, and if not, setting an unsubscribed successful identification in the corresponding byte.

Fig. 2 is a schematic interaction diagram of access authentication between a client and a server in an embodiment of the present application. The access authentication, the subscription authentication and the Message authentication of the device are described by taking an MQTT device as an example, firstly, the MQTT device in a data service bus component carries out access authentication, and a data service bus of a server side feeds back an authentication result, wherein the authentication result is judged according to ClientID (client identifier), Will Topic, Will Message, User Name and Password fields of the accessed MQTT device, if the authentication result is legal, the authentication is successful, the MQTT device is successfully accessed, and further the MQTT device can communicate with a server through the MQTT. For the MQTT equipment with successful access authentication, starting to subscribe related topics, judging whether the MQTT equipment is successfully subscribed or not by the server side according to the subscribed topics, and if the MQTT equipment is failed, setting 0x80 in the corresponding byte. The MQTT equipment publishes a message, the server side judges whether the subject name of the published message is in a standard format required by presetting after receiving the message published by the MQTT equipment, if other subject names are illegally used, the connection between the server side and the MQTT equipment is disconnected, and the message publishing fails. If the topic name is legal, the message of the MQTT equipment is successfully published, normal communication is maintained with the server through the MQTT, and the confirmation of the published message is determined according to a QOS (quality of service) field in the PUBLISH message.

Preferably, when the client includes an MQTT device and an MQTT device owning user, in step S21, an application request of an access key and an encryption key of the MQTT device owning user and the MQTT device sent by the MQTT device owning user is received; adding the MQTT equipment to a management cluster according to the application request, and distributing unique identification information to the MQTT equipment; and receiving an access authentication request sent by the MQTT device based on the access key, the encryption key and the unique identification information. In an embodiment of the application, when performing access authentication, subscription authentication and message authentication of the MQTT device, first, according to an application of an MQTT device owner for a personal account number and an application of an access key and an encryption key of the MQTT device, an device ID is allocated to the MQTT device, the access key and the encryption key are respectively allocated to the MQTT device owner and the MQTT device owner, and the MQTT device is added to a management cluster, wherein the management cluster is preferably an internet of things platform management interface.

Preferably, when the client includes an MQTT device authorized by an application development user and the MQTT device owns a user, in step S21, an application request of the application, the application development user, the MQTT device owning user and an access key and an encryption key of the MQTT device sent by the MQTT device authorized by the application development user is received; adding the application program into a management cluster according to the application request, and respectively allocating unique identification information to the application program and the MQTT equipment; and receiving an access authentication request sent by the application program based on the access key, the encryption key, the unique identification information of the MQTT device and the unique identification information of the application program. In an embodiment of the present application, when performing access authentication, subscription authentication, and message authentication of an APP, first, according to an application of an APP terminal, unique identification information (APPId) of an application program is allocated to the APP terminal, and an access key and an encryption key are respectively allocated to the APP, a developer of the APP, an MQTT device authorized by the APP developer, and an owner of the MQTT device, and an access authentication request of the APP is received, thereby completing the access authentication of the APP.

The access authentication method based on the MQTT realizes access authentication, subscription authentication and message authentication of the MQTT client and management functions of acquisition equipment, acquisition equipment owners, APP and APP developers in an Internet of things platform, provides support for a Secure Socket Layer (SSL) and network communication (Websocket), reduces problems of the system caused by configuration errors, and provides a corresponding webpage interface to enable a user to use the system determined by the MQTT client and a server more intuitively.

Fig. 3 is a schematic structural diagram of an MQTT-based access authentication client according to another aspect of the present application, where the client includes: an access authentication request means 11, a subscription subject authentication request means 12, a published message authentication request means 13 and a connection determination means 14,

an access authentication request device 11, configured to send an access authentication request of the MQTT client to a server device; in the embodiment of the application, the MQTT client is subjected to access authentication, where the access authentication includes access authentication of an MQTT device and access authentication of an Application (APP). Aiming at the access authentication requests of MQTT equipment and APP, different access authentication processes are provided, and management of the MQTT equipment and the MQTT equipment owning user, the APP and the APP development user is realized.

A subscription theme authentication request device 12, configured to send a subscription theme authentication request to the server device based on the access authentication result fed back by the server device; in the embodiment of the application, after the access authentication is passed, the client of the MQTT can subscribe related topics, the topic subscription is performed according to a preset topic format, and if formats of other topics are tried, errors are caused, and the subscription fails.

A published message authentication request device 13, configured to send a published message authentication request to the server device based on a result of the subscription topic authentication request fed back by the server device; in the embodiment of the application, after the topic is subscribed successfully, the client of the MQTT starts to PUBLISH the message, the topic names in the PUBLISH message, the PUBLISH message in the reply control message, and the PUBLISH message in the reply query message need to be according to a preset rule, and if the topic names are not published by using other topic names, the server is disconnected.

And a connection determining device 14, configured to determine connection with the server device based on the authentication result of the release message fed back by the server device. When the authentication result of the issued message is successful, the connection between the client and the server is maintained, the secure transmission between the client and the server can be continued, and when the authentication result of the issued message is failed, the connection between the client and the server is disconnected, so that the accuracy and the security of the message transmission are ensured.

Preferably, when the client includes an MQTT device and an MQTT device owning user, the access authentication request device 11 is configured to send an application request of the MQTT device owning user and an access key and an encryption key of the MQTT device to the server device; receiving unique identification information distributed by the server-side equipment to the MQTT equipment; and sending the access authentication request of the MQTT equipment to server-side equipment based on the access key, the encryption key and the unique identification information. Firstly, applying for an MQTT device to have a user owner account, and applying for an access key (accessKey) and an encryption key (secretKey) in a management interface; then, adding new MQTT equipment in the management interface, and allocating unique identification information deviceId to each MQTT equipment to be accessed, wherein the MQTT equipment is acquisition equipment of the intelligent park and can be accessed to a system of the intelligent park; it should be noted that the access key (accessKey) is used to access interfaces of some applications provided by the system, and is used for a User Name field (username field) in a connection (CONNECT) Message in the MQTT protocol, deviceId is used for a ClinetId field (client identifier) in the CONNECT Message in the MQTT protocol, secretekey is used for signing a ClinetId field (client identifier), wil Topic (legacy subject), wil Message, and User Name fields in a Payload Message in the CONNECT Message in the MQTT protocol, and a signature is used for a Password field in the CONNECT Message in the MQTT protocol.

Preferably, the topic subscription authentication request device 12 is configured to, based on an access authentication result that the access authentication is successful and fed back by the server device, send, by the MQTT device, the topic subscription authentication request to the server through a topic subscription filter, where the topic subscription filter is determined according to an access key, unique identification information, and a control message transmission channel of a user owned by the MQTT device, or according to an access key, unique identification information, and a query message transmission channel of a user owned by the MQTT device. In an embodiment of the present application, when subscribing to a topic, it is necessary to use { { MQTT device possesses user's access key } }/{ { MQTT device ID } }/CONTROL, or { { MQTT device possesses user's access key } }/{ { MQTT device ID } }/QUERY as a topic filter, and attempting to subscribe to any other topic results in a failure, and after the subscription fails, the server sets 0x80 in the corresponding byte to indicate that the related topic is unsubscribed successfully. Wherein, CONTROL is a CONTROL message transmission channel, and QUERY is an inquiry message transmission channel.

Preferably, the published message authentication request device 13 is configured to send the published message authentication request to the server device according to the topic name determined in the packet based on the successfully subscribed topic authentication request result fed back by the server device. In an embodiment of the present application, the subject names in the message include: preferably, the client further includes: the topic name determining device is used for determining the topic name in the message of the release message according to the access key of the user owned by the MQTT equipment, the unique identification information of the MQTT equipment and a data message transmission channel; determining a subject name in a message of the reply control message according to an access key of the user owned by the MQTT device, the unique identification information of the MQTT device and a control reply message transmission channel; and determining the subject name in the message replying the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query reply message transmission channel.

Preferably, the client further comprises: the first specification device 15 is used for the will order message in the message to adopt a preset MQTT device message character string, and the subject format of the will order message is determined according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and an offline message transmission channel. In an embodiment of the application, the testament message needs to be normalized, a fixed WizIOT OFFLINE character string is adopted, and the testament message subject format is { { access key of device owner } }/{ { device ID } }/{ { device ID, where WizIOT OFFLINE is a designed result and is mainly different from the testament message of the application APP, and ofline is an OFFLINE message transmission channel.

Preferably, when the client includes an MQTT device authorized by an application development user and the MQTT device owns a user, the access authentication request device 11 is configured to send, to the server device, application requests of the application, the application development user, the MQTT device owning user authorized by the application development user, and an access key and an encryption key of the MQTT device; receiving unique identification information respectively distributed by the server-side equipment for the application program and the MQTT equipment; and sending the access authentication request of the application program to server-side equipment based on the access key, the encryption key, the unique identification information of the MQTT equipment and the unique identification information of the application program. In an embodiment of the application, a server is preferably an internet of things platform background, applies for accessKey and secedetkey in a management interface of the background, and then obtains AppId for each APP terminal needing to be accessed in the internet of things platform background management interface, where the accessKey is used for a User Name field (User Name field) in a CONNECT Message in an MQTT protocol, and the AppId is a unique identifier of an application APP and used for signing a ClientId (client identifier), a Will Topic, a Will Message, and a User Name field in a Payload in the CONNECT Message in the MQTT protocol.

In an embodiment of the present application, the subscription theme authentication requesting device 12 is configured to, based on an access authentication result that the access authentication is successful and is fed back by the server device, send, by the application program, the subscription theme authentication request to the server through a filter of a subscription theme, where the filter of the subscription theme is determined according to at least any one of the following: determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a control message transmission channel; determining the filter according to an access key of an owning user of the MQTT equipment authorized by the application program development user, the unique identification information of the MQTT equipment and a query message transmission channel; determining the filter according to an access key of a user owning the MQTT equipment authorized by the application program development user, unique identification information of the MQTT equipment and a data message transmission channel; and determining the filter according to the access key of the user owning the MQTT equipment authorized by the application program development user and the unique identification information of the MQTT equipment.

Here, the APP terminal only has the right to subscribe to an authorized MQTT device of an APP developer to which the APP terminal belongs, after access authentication passes, the APP terminal may subscribe to a related topic, and the subscription topic uses { { accessekey of an MQTT device owner } }/{ { deviceId of the MQTT device } }/credit or { { accessekey of the MQTT device owner } }/{ { deviceId of the MQTT device owner } }/qrly or { { accesseid of the MQTT device owner } }/{ { deviceId of the MQTT device } }/{ { MQTT device } }/} or { { accesseid of the MQTT device owner } }/} + or { { accesseid of the MQTT device owner/}/{ { MQTT device } }/} as a topic, and after an attempt of subscription to any other related topic subscription service is made by a corresponding to a corresponding subscription service failure 80.

Preferably, the published message authentication request device 13 is configured to, based on a successfully subscribed subscription topic authentication request result fed back by the server device, send, by the MQTT device authorized by the application program, a published message authentication request to the server device according to a topic name determined in the packet. In an embodiment of the present application, the subject names in the message include: the client further comprises a subject name determining device which is used for determining the subject name in the message for issuing the control message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the control message transmission channel; and determining the subject name in the message for issuing the query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device and the query message transmission channel.

Preferably, the client further comprises: and the second specification device 15' is used for determining the subject format of the will order message in the message by adopting a preset application message character string according to the access key of the application development user, the unique identification information of the application and an offline message transmission channel. In an embodiment of the application, a fixed WizIOT APP OFFLINE string is adopted, and the format of the subject of the will-information is { { access key of APP developer } }/{ { APP id } }/OFFLINE.

According to another aspect of the present application, there is also provided a service device for access authentication based on MQTT, the service device including: the system comprises an access authentication device 21, a theme authentication device 22 and a message authentication device 23, wherein the access authentication device 21 is used for authenticating a client based on an access authentication request sent by the client of the MQTT and feeding back an access authentication result to the client; the topic authentication device 22 is configured to determine whether the client successfully subscribes a topic based on the topic subscription authentication request sent by the client, and feed back a topic subscription authentication request result to the client; and the message authentication device 23 is configured to, after receiving the message authentication request issued by the client, determine an authentication result of the issued message according to the service quality in the message, and determine connection with the client according to the authentication result of the issued message. In an embodiment of the application, the system comprises a server side and MQTT clients, access authentication, subscription authentication and message authentication are performed on the MQTT clients through the server side, and management functions of MQTT equipment, MQTT equipment owners, APP and APP developers in a platform are performed, so that authentication extension and safe transmission of the MQTT are realized, errors caused by configuration errors of the system are reduced, and a corresponding webpage interface is provided, so that a user can use the system more intuitively.

Preferably, the topic authentication device 22 is configured to receive a subscription topic authentication request sent by the client; and judging whether the client successfully subscribes the theme or not according to the identification information, the theme of the will advice, the message of the will advice, the user name field and the password field of the client, and if not, setting an unsubscribed successful identification in the corresponding byte.

Preferably, when the client includes an MQTT device and an MQTT device owning user, the access authentication device 21 is configured to receive an application request of an access key and an encryption key of the MQTT device owning user and the MQTT device sent by the MQTT device owning user; adding the MQTT equipment to a management cluster according to the application request, and distributing unique identification information to the MQTT equipment; and receiving an access authentication request sent by the MQTT device based on the access key, the encryption key and the unique identification information. In an embodiment of the application, when performing access authentication, subscription authentication and message authentication of the MQTT device, first, according to an application of an MQTT device owner for a personal account number and an application of an access key and an encryption key of the MQTT device, an device ID is allocated to the MQTT device, the access key and the encryption key are respectively allocated to the MQTT device owner and the MQTT device owner, and the MQTT device is added to a management cluster, wherein the management cluster is preferably an internet of things platform management interface.

Preferably, when the client includes an MQTT device authorized by an application development user and the MQTT device owns a user, the access authentication device 21 is configured to receive an application request of an access key and an encryption key of the application, the application development user, the MQTT device owning user and the MQTT device sent by the MQTT device authorized by the application development user; adding the application program into a management cluster according to the application request, and respectively allocating unique identification information to the application program and the MQTT equipment; and receiving an access authentication request sent by the application program based on the access key, the encryption key, the unique identification information of the MQTT device and the unique identification information of the application program. In an embodiment of the present application, when performing access authentication, subscription authentication, and message authentication of an APP, first, according to an application of an APP terminal, unique identification information (APPId) of an application program is allocated to the APP terminal, and an access key and an encryption key are respectively allocated to the APP, a developer of the APP, an MQTT device authorized by the APP developer, and an owner of the MQTT device, and an access authentication request of the APP is received, thereby completing the access authentication of the APP.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.

In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Program instructions which invoke the methods of the present application may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.

It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims

1. A method of MQTT-based access authentication at a client, wherein the method comprises:

sending an access authentication request of the client side of the MQTT to server side equipment, wherein the client side comprises the MQTT equipment and an MQTT equipment owning user;

sending a subscription subject authentication request to the server equipment based on an access authentication result fed back by the server equipment; based on the successful subscription topic authentication request result fed back by the server-side equipment, sending a published message authentication request to the server-side equipment according to the topic name determined in the message, wherein the topic name determined in the message comprises: the subject name in the message of the release message, the subject name in the message of the reply control message and the subject name in the message of the reply inquiry message;

determining a subject name in a message replying to the query message according to an access key of a user owned by the MQTT device, the unique identification information of the MQTT device and a query reply message transmission channel;

determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment;

sending a subscription subject authentication request to the server device based on the access authentication result fed back by the server device, wherein the subscription subject authentication request comprises:

2. The method of claim 1, wherein sending the access authentication request of the client of the MQTT to the server device comprises:

3. The method of claim 1, wherein the method further comprises:

4. The method of claim 1, wherein the client comprises an MQTT device authorized by an application development user, and when the MQTT device owns the user, the method sends an access authentication request of the MQTT client to a server device, and comprises:

5. The method of claim 4, wherein sending a subscription topic authentication request to the server device based on the access authentication result fed back by the server device comprises:

6. The method of claim 5, wherein sending a publish message authentication request to the server device based on the result of the subscription topic authentication request fed back by the server device comprises:

7. The method of claim 6, wherein the subject name in the message comprises: a subject name in a message for issuing a control message and a subject name in a message for issuing a query message,

the method further comprises the following steps:

8. The method of claim 7, wherein the method further comprises:

9. A method of MQTT-based access authentication at a service device, wherein the method comprises:

authenticating the client based on an access authentication request sent by the client of the MQTT, wherein the client comprises MQTT equipment and an MQTT equipment owning user; feeding back an access authentication result to the client; judging whether the client successfully subscribes the theme or not based on a subscription theme authentication request sent by the client through a filter for subscribing the theme, and feeding back a result of the subscription theme authentication request to the client, wherein the filter for subscribing the theme is determined according to an access key, unique identification information and a control message transmission channel of a user owned by MQTT equipment, or determined according to the access key, the unique identification information and a query message transmission channel of the user owned by the MQTT equipment;

after receiving a message authentication request issued by the client, determining an issued message authentication result according to the service quality in the message, and determining connection with the client according to the issued message authentication result;

the issued message authentication request is sent by the client according to a topic name determined in a message, wherein the topic name determined in the message comprises: the method comprises the steps that a subject name in a message of a release message, a subject name in a message of a reply control message and a subject name in a message of a reply query message are determined by a client according to an access key of an MQTT device owner, unique identification information of the MQTT device and a data message transmission channel, the subject name in the message of the release message is determined by the client according to the access key of the MQTT device owner, the unique identification information of the MQTT device and a control reply message transmission channel, and the subject name in the message of the reply query message is determined by the client according to the access key of the MQTT device owner, the unique identification information of the MQTT device and the query reply message transmission channel.

10. The method of claim 9, wherein determining whether the client successfully subscribes to the topic based on the topic authentication request sent by the client comprises:

receiving a subscription subject authentication request sent by the client;

and judging whether the client successfully subscribes the theme or not according to the identification information, the theme of the will advice, the message of the will advice, the user name field and the password field of the client, and if not, setting an unsubscribed successful identification in the corresponding byte.

11. The method of claim 9, wherein authenticating the client based on an access authentication request sent by the client of the MQTT comprises:

receiving an application request of an access key and an encryption key of the MQTT equipment owning user and the MQTT equipment, which is sent by the MQTT equipment owning user;

adding the MQTT equipment to a management cluster according to the application request, and distributing unique identification information to the MQTT equipment;

and receiving an access authentication request sent by the MQTT device based on the access key, the encryption key and the unique identification information.

12. The method of claim 9, wherein the client comprises an MQTT device authorized by an application development user, and the authenticating the client based on an access authentication request sent by the client when the MQTT device owns the user comprises:

receiving application requests of the application program, the application program development user and an access key and an encryption key of an MQTT device which are sent by the MQTT device authorized by the application program development user;

adding the application program into a management cluster according to the application request, and respectively allocating unique identification information to the application program and the MQTT equipment;

and receiving an access authentication request sent by the application program based on the access key, the encryption key, the unique identification information of the MQTT device and the unique identification information of the application program.

13. An MQTT-based access authentication client, wherein the client comprises:

a subscription theme authentication request device, configured to send a subscription theme authentication request to the server device based on an access authentication result fed back by the server device, where the client includes MQTT devices and MQTT devices owning users;

a publish message authentication request device, configured to send a publish message authentication request to the server device according to a topic name determined in a packet based on a subscription topic authentication request result fed back by the server device, where the topic name determined in the packet includes: the subject name in the message of the release message, the subject name in the message of the reply control message and the subject name in the message of the reply inquiry message;

a topic name determining device, configured to determine a topic name in the message of the release message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device, and the data message transmission channel, determine a topic name in the message of the reply control message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device, and the control reply message transmission channel, and determine a topic name in the message of the reply query message according to the access key of the user owned by the MQTT device, the unique identification information of the MQTT device, and the query reply message transmission channel;

the connection determining device is used for determining connection with the server side equipment based on the issued message authentication result fed back by the server side equipment;

wherein the subscription theme authentication requesting means is configured to:

14. The client of claim 13, wherein the access authentication request device is configured to:

15. The client of claim 13, wherein the client further comprises:

the first specification device is used for enabling the besom message in the message to adopt a preset MQTT device message character string, and the subject format of the besom message is determined according to an access key of a user owned by the MQTT device, the unique identification information of the MQTT device and an offline message transmission channel.

16. The client according to claim 13, wherein the client comprises an MQTT device authorized by an application development user, and when the MQTT device owns a user, the access authentication request means is configured to:

17. The client of claim 16, wherein the subscription topic authentication requesting means is to:

18. The client of claim 17, wherein the published message authentication request means is configured to:

19. The client of claim 18, wherein the subject name in the message comprises: a subject name in a message for issuing a control message and a subject name in a message for issuing a query message,

the client further comprises a subject name determining device for:

20. The client of claim 19, wherein the client further comprises:

and the second specification device is used for adopting a preset application program message character string for the testament message in the message, and the subject format of the testament message is determined according to the access key of the application program development user, the unique identification information of the application program and an offline message transmission channel.

21. A service device for access authentication based on MQTT, wherein the service device comprises:

the access authentication device is used for authenticating the client based on an access authentication request sent by the client, wherein the client comprises MQTT equipment and MQTT equipment owning users; feeding back an access authentication result to the client;

the topic authentication device is used for judging whether the client successfully subscribes the topic or not based on a topic subscription authentication request sent by the client through a topic subscription filter and feeding back a topic subscription authentication request result to the client, wherein the topic subscription filter is determined according to an access key, unique identification information and a control message transmission channel of a user owned by MQTT equipment, or according to an access key, unique identification information and a query message transmission channel of a user owned by the MQTT equipment;

the message authentication device is used for determining an authentication result of the issued message according to the service quality in the message after receiving the message authentication request issued by the client, and determining the connection with the client according to the authentication result of the issued message;

22. The service device of claim 21, wherein the subject authentication means is configured to: receiving a subscription subject authentication request sent by the client;

23. The service device of claim 21, wherein the client comprises an MQTT device and the MQTT device owns the user, the access authentication means is configured to:

24. The service apparatus according to claim 21, wherein the client includes an MQTT device authorized by an application development user, and when the MQTT device owns a user, the access authentication means is configured to: